CVE-2026-32735: CWE-20: Improper Input Validation in Chrimle openapi-to-java-records-mustache-templates-parent
CVE-2026-32735 is a low-severity vulnerability in the Chrimle openapi-to-java-records-mustache-templates-parent project affecting versions from 3.1.1 up to but not including 3.5.1. The parent POM file uses the maven-dependency-plugin to unpack arbitrary .mustache files from the openapi-to-java-records-mustache-templates artifact. If the artifact is compromised to include malicious .mustache files, these could be automatically unpacked during dependency updates, potentially leading to supply chain risks. This parent POM is not intended for external use but is published and could be used inadvertently.
AI Analysis
Technical Summary
The vulnerability CVE-2026-32735 affects the Chrimle openapi-to-java-records-mustache-templates-parent project, specifically versions >=3.1.1 and <3.5.1. This project provides a parent POM file that centralizes plugin configurations for multiple unit-test modules and uses the maven-dependency-plugin to unpack .mustache template files from the openapi-to-java-records-mustache-templates artifact. The core issue is improper input validation (CWE-20) because the parent POM blindly unpacks any .mustache files present in the artifact without verifying their integrity or origin. If an attacker compromises the openapi-to-java-records-mustache-templates artifact repository or injects malicious .mustache files into the artifact, these files would be automatically unpacked during dependency updates by users relying on the parent POM. This could lead to supply chain attacks where malicious templates are introduced into the build or test environment, potentially enabling code execution or other malicious activities during build processes. However, the parent POM is not intended for external or production use and mainly supports testing and maintainability, limiting the scope of impact. The vulnerability was addressed in version 3.5.1 of the parent POM by removing or securing the unpacking process. No known exploits have been reported in the wild, and the CVSS 4.0 score is low (2.3), reflecting the limited attack surface and impact. Users are strongly advised to avoid using the parent POM externally and to upgrade to the patched version to mitigate this risk.
Potential Impact
The primary impact of this vulnerability is a potential supply chain risk where malicious .mustache template files could be introduced into the build environment if the openapi-to-java-records-mustache-templates artifact is compromised. This could lead to unintended code execution or manipulation during build or test phases, potentially affecting software integrity and developer environments. However, since the parent POM is intended only for internal testing and maintainability and not for production use, the risk to production systems is minimal. Organizations using this parent POM externally or in automated build pipelines could inadvertently expose themselves to this risk. The vulnerability does not affect confidentiality, availability, or integrity of deployed applications directly but could undermine trust in the build process and introduce malicious code early in the software development lifecycle. The absence of known exploits and the low CVSS score indicate a limited immediate threat, but the potential for supply chain compromise warrants attention, especially for organizations with strict build security requirements.
Mitigation Recommendations
1. Avoid using the openapi-to-java-records-mustache-templates-parent POM externally or in production environments, as it is intended only for testing and maintainability.
2. Upgrade to version 3.5.1 or later of the parent POM, which addresses the vulnerability by securing or removing the unsafe unpacking of .mustache files.
3. Implement strict artifact repository security controls to prevent unauthorized modification or injection of malicious files into dependencies.
4. Use artifact signing and verification mechanisms (e.g., Maven's GPG signature verification) to ensure the integrity and authenticity of downloaded artifacts.
5. Incorporate supply chain security tools that scan dependencies for known vulnerabilities and suspicious content.
6. Review and restrict automated build processes to limit unpacking or execution of untrusted files during dependency resolution.
7. Educate development teams about the risks of using testing or internal-only components in production or external-facing projects.
8. Monitor dependency updates for unexpected changes in artifacts, especially those involving template files or scripts.
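One way to apply recommendations 4 and 8 as a pre-unpack gate in a build job, added here as an example that is not part of this advisory or of the Chrimle project: the script pins the artifact's SHA-256 and compares every .mustache entry inside the jar against an allowlist, refusing to proceed when the hash differs or an unexpected template appears. The jar contents, template names and pinned hash are constructed in the script for illustration.

```python
import hashlib
import io
import zipfile

# Template entries the build expects to unpack from the artifact (assumed names,
# not taken from the real openapi-to-java-records-mustache-templates jar).
EXPECTED_TEMPLATES = {"templates/record.mustache", "templates/enum.mustache"}


def build_sample_jar(extra_entries=()):
    """Construct a minimal jar in memory (a jar is a zip archive) with fixed
    timestamps so that its bytes, and therefore its hash, are reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        entries = ["META-INF/MANIFEST.MF"] + sorted(EXPECTED_TEMPLATES) + list(extra_entries)
        for name in entries:
            info = zipfile.ZipInfo(name, date_time=(2026, 1, 1, 0, 0, 0))
            zf.writestr(info, "{{! constructed sample entry }}\n")
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def audit_artifact(jar_bytes, pinned_sha256, allowed_templates):
    """Decide whether the artifact may be unpacked: the whole-file hash must
    match the pinned value and every .mustache entry must be on the allowlist.
    Returns the individual findings so a CI job can log exactly what changed."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        templates = {n for n in zf.namelist() if n.endswith(".mustache")}
    allowed = set(allowed_templates)
    findings = {
        "hash_ok": sha256_hex(jar_bytes) == pinned_sha256,
        "unexpected": sorted(templates - allowed),  # injected or renamed templates
        "missing": sorted(allowed - templates),      # templates removed upstream
    }
    findings["safe_to_unpack"] = findings["hash_ok"] and not findings["unexpected"]
    return findings


if __name__ == "__main__":
    good = build_sample_jar()
    pin = sha256_hex(good)  # in practice, pin the hash of a reviewed release
    print(audit_artifact(good, pin, EXPECTED_TEMPLATES))
    tampered = build_sample_jar(extra_entries=["templates/injected.mustache"])
    print(audit_artifact(tampered, pin, EXPECTED_TEMPLATES))
```

The hash check catches any byte-level change to the artifact; the entry allowlist additionally tells the reviewer which template was added or removed, which a bare hash mismatch does not.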
Affected Countries
United States, Germany, India, China, United Kingdom, France, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T15:02:00.627Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69bb2706771bdb1749cae220
Added to database: 3/18/2026, 10:28:22 PM
Last enriched: 3/18/2026, 10:43:33 PM
Last updated: 3/19/2026, 1:42:43 AM